Your data rights · UK guide

Get a copy of everything they hold on you.

Last verified 20 Jun 2026 · Source ICO + UK data protection law

You have the legal right to ask any UK organisation — your bank, employer, landlord, council, GP, an insurer, a debt collector — for a copy of the personal data it holds about you. It’s called a Subject Access Request (SAR). It’s free, you don’t need to give a reason, and they must reply within one month. Here’s how to do it, with a ready-to-send template.

£0Free in almost all cases
1 monthTo respond
No reasonNeeded to ask
ICOEnforces it free
How to make one → Copy the template

What a SAR gets you

Under UK data protection law you have a right of access to your own personal data. When you make a SAR, the organisation must give you:

  • a copy of the personal data it holds about you;
  • why it’s using your data, and the lawful basis for doing so;
  • who it shares your data with;
  • how long it will keep it;
  • where the data came from, if not from you.

It’s a powerful, free tool. People use SARs to get their medical records, work files, bank or insurance records, CCTV of themselves, emails that mention them, a debt collector’s file, and evidence for a complaint, dispute, appeal or tribunal.

How to make one

  1. Find the right contact. Check the organisation’s privacy policy for a data protection officer or privacy email. A request to any part of the organisation still counts.
  2. Ask clearly. Say you’re making a subject access request and want a copy of the personal data they hold about you. You can ask verbally, but writing (email) gives you a record.
  3. Be specific to get a faster reply. If you only need certain records (e.g. “my account notes from Jan–Jun 2026”), say so — a focused request is usually answered faster.
  4. Prove who you are if asked. They can ask for ID to be sure it’s really you. The one-month clock only starts once they have what they reasonably need.
The one-month deadline — and when it can pause

They must respond within one month. They can extend by up to two more months for complex or numerous requests, but must tell you within the first month and say why.

The clock can be paused if they reasonably need ID, if they need to clarify a very broad request, or where a permitted fee applies — but they can’t use this to stall.

A ready-to-send template

Copy, fill in the brackets, and email it:

Dear [organisation],

Subject access request

I am making a subject access request under UK data protection law. Please provide a copy of all the personal data you hold about me, together with the supplementary information you are required to give (the purposes, the lawful basis, who you share it with, how long you keep it, and the source of the data).

My details: [full name], [address], [date of birth], [any account/reference number].

[Optional — to focus it: I am specifically asking for: ...]

Please confirm receipt and respond within one month. If you need anything from me to verify my identity, please tell me promptly so the time limit can begin.

Yours faithfully,
[your name]

Keep a dated copy of what you send.

If they ignore you or refuse

You have a clear escalation route, and it’s free:

StepWhat to do
1. Chase in writingRemind them of the one-month deadline and that you’ll complain to the ICO if they don’t comply.
2. Complain to the organisationUse their formal complaints process and ask for a final response.
3. Complain to the ICOThe Information Commissioner’s Office is the UK data regulator. It can investigate and order them to comply — no solicitor, no fee.

Organisations can withhold some information — for example data about other people, or where a specific legal exemption applies — but they must still respond and explain. They can’t simply ignore a SAR.

Do this now
  1. Find the organisation’s privacy/data-protection email (in its privacy policy).
  2. Send the template above — and keep a dated copy.
  3. Diary one month ahead. No proper reply? Chase, then complain free to the ICO.

Free help: the ICO (ico.org.uk) · Citizens Advice 0800 144 8848. This is general information, not legal advice.

Source verification Primary source: the Information Commissioner’s Office (ICO) guidance on the right of access and subject access requests, and UK data protection law (the UK GDPR / Data Protection Act 2018, as amended by the Data (Use and Access) Act). Last verified 20 June 2026. Confidence: High — a SAR is free in almost all cases (a reasonable fee only for manifestly unfounded/excessive requests or extra copies), there’s no need to give a reason, the response deadline is one month (extendable to three for complex requests with notice), the clock can pause for ID/clarification, and the ICO enforces it. Some data can be lawfully withheld (e.g. third-party data or specific exemptions). SortedUK is independent — not a government service or a law firm, and this is general information, not legal advice.

Subject Access Requests — common questions

Do I have to say why I want my data?

No. You never have to give a reason for a subject access request. Being specific about what you want can speed up the reply, but it’s entirely optional.

Can they charge me?

Almost never. It’s free unless the request is manifestly unfounded or excessive, or you’re asking for additional copies of information already provided — then a reasonable fee can apply. A flat “admin fee” just for asking isn’t allowed.

Can I make a SAR to my employer or ex-employer?

Yes. Employers and former employers hold personal data about you and must respond to a SAR like any other organisation — useful for grievances, disciplinary disputes or tribunal evidence.

What if the records have errors?

You also have the right to have inaccurate personal data corrected (the right to rectification). Once you’ve seen your data via a SAR, you can ask the organisation to fix anything that’s wrong.

Your data. Your right. Your copy.

Send the request, diary one month, and escalate free to the ICO if they stall. Want a hand wording it for your situation?

Ask Sorted to help → How to complain